how to calculate time between events for the past ...

sabinayousoubuv · ‎11-24-2019

Hello,

I have an index for a symantec produt, and I have to write a search to alert if any of the sourcetypes doesn't get any data in for a certain amount of time.

Calculating the time is a little tricky for me, since it has to ba searches this way:

Searching for the time differences between all events by sourcetypes for the last month, and make a summary of it.

The alert should apear everytime the index won't get data from a certain sourcetype for longer time than the result from the search above.

I would realy love to get some help,
thank you!

woodcock · ‎11-24-2019

Don't reinvent the wheel; this has been solved many times including:
Meta Woot!: https://splunkbase.splunk.com/app/2949/
TrackMe: https://splunkbase.splunk.com/app/4621/,
Broken Hosts App for Splunk: https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts): https://splunkbase.splunk.com/app/3796/
Splunk Security Essentials(https://docs.splunksecurityessentials.com/features/sse_data_availability/): https://splunkbase.splunk.com/app/3435/
Monitoring Console: https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server: https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...

how to calculate time between events for the past month

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!